Considering a Cisco ASA (5500-X) firewall for our internet edge in front of our web cluster.

At the moment, we use a Linux box with iptables. A log analysis system detects brute-force attacks on WordPress blogs, forum spam, hacking attempts, and much more. Illicit activity will result in a short-lived block of the offending IP address.

The list of blocked IPs, however, is around 30,000 IPv4 addresses. Can we load these into a Cisco 5500-X using an API or similar, and how many IP addresses / rules can it handle?

We currently use ipset (a hashtable) to deal with the large number of IP blocks.

Thanks!

sune
  • How much RAM does the ASA have? (I can't answer the question, but my experience does indicate that the amount of RAM in the ASA will have a significant impact on the answer.) – HopelessN00b Feb 05 '14 at 12:55
  • We are looking at one with 8 GB of memory, but I think some have 16 GB. – sune Feb 06 '14 at 13:27

1 Answer

Below is a thread from the ASA Business Unit. This is for an ASA 5520 (only 512 MB of RAM), and it serviced 300k ACEs (access control expressions; e.g. lines in an ACL).

https://supportforums.cisco.com/thread/2064748

In short, even an older non-X-series ASA like the 5520 could handle 300,000 one-line denies - so handling 10% of that should be a non-issue.

Jason Seemann
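As an added illustration of the question's "can we load these into the ASA" and the answer's ACE-count argument (this is example code written for this page, not from either poster and not Cisco's tooling): a small Python script that takes an IP blocklist of the kind the log-analysis system produces, drops duplicates and malformed entries, collapses contiguous addresses into CIDR blocks, and renders the result as an ASA `object-group network` with a single `deny` ACE referencing it. The ASA keywords used (`object-group network`, `network-object host`, `network-object <net> <mask>`, `access-list ... extended deny ip object-group ... any`, `access-group`) are standard ASA syntax; the names `BLOCKLIST`, `OUTSIDE_IN` and `outside`, and the sample blocklist, are assumptions constructed for the example.

```python
"""Render an IP blocklist as Cisco ASA object-group/ACL configuration.

Added example for this thread; not code from the original posts.
Object-group / ACL / interface names are assumptions.
"""
import ipaddress
from typing import List

# Constructed sample blocklist: a comment, duplicates, one malformed line,
# and a contiguous run (203.0.113.4-7) that collapses into a single /30.
SAMPLE_BLOCKLIST = """\
# blocked by log analysis (constructed sample, not real offenders)
198.51.100.10
198.51.100.10
203.0.113.4
203.0.113.5
203.0.113.6
203.0.113.7
not-an-ip
192.0.2.77
"""


def parse_blocklist(text: str) -> List[ipaddress.IPv4Network]:
    """Return the unique, valid IPv4 entries of a blocklist, sorted.

    Comments and blank lines are ignored; malformed or non-IPv4 entries are
    skipped so one bad line cannot abort the whole load.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if net.version != 4:
            continue
        nets.add(net)
    return sorted(nets)


def aggregate(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Collapse adjacent/overlapping networks so fewer ACEs are needed."""
    return list(ipaddress.collapse_addresses(nets))


def render_asa(nets: List[ipaddress.IPv4Network],
               group: str = "BLOCKLIST",      # assumed object-group name
               acl: str = "OUTSIDE_IN",       # assumed ACL name
               iface: str = "outside") -> List[str]:
    """Emit ASA config lines: one object-group, one deny ACE, one access-group."""
    lines = [f"object-group network {group}"]
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    # The ASA expands the object-group into one ACE per member, so the
    # number of members is what counts against the ACE capacity discussed above.
    lines.append(f"access-list {acl} extended deny ip object-group {group} any")
    lines.append(f"access-group {acl} in interface {iface}")
    return lines


def expanded_ace_count(nets: List[ipaddress.IPv4Network]) -> int:
    """Approximate ACE count after the ASA expands the object-group."""
    return len(nets)


if __name__ == "__main__":
    blocked = aggregate(parse_blocklist(SAMPLE_BLOCKLIST))
    print("\n".join(render_asa(blocked)))
    print(f"! approx. expanded ACEs: {expanded_ace_count(blocked)}")
```

The output is plain configuration text, so it can be pushed to the device by whatever mechanism you already use for config management; replacing the group wholesale (remove and re-add, or build a new group and swap the ACE) avoids leaving stale entries behind when a short-lived block expires. The collapse step matters at 30,000 entries: scanners often hit from adjacent addresses, and each merged range is one fewer ACE against the capacity figures in the answer.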